
feat(go): cleanup user extclients;

1. On disabling a user, remove all their extclients.
2. Add comments and rename variables to clarify the user group extclient cleanup function.
Vishal Dalwadi 1 hónapja
commit
05b2263350
3 módosított fájl, 37 hozzáadás és 8 törlés
  1. 22 0
      controllers/user.go
  2. 5 4
      pro/controllers/users.go
  3. 10 4
      pro/logic/user_mgmt.go

+ 22 - 0
controllers/user.go

@@ -816,6 +816,28 @@ func disableUserAccount(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 	}
 
+	go func() {
+		extclients, err := logic.GetAllExtClients()
+		if err != nil {
+			logger.Log(0, "failed to get user extclients:", err.Error())
+			return
+		}
+
+		for _, extclient := range extclients {
+			if extclient.OwnerID == user.UserName {
+				err = logic.DeleteExtClientAndCleanup(extclient)
+				if err != nil {
+					logger.Log(0, "failed to delete user extclient:", err.Error())
+				} else {
+					err := mq.PublishDeletedClientPeerUpdate(&extclient)
+					if err != nil {
+						logger.Log(0, "failed to publish deleted client peer update:", err.Error())
+					}
+				}
+			}
+		}
+	}()
+
 	logic.ReturnSuccessResponse(w, r, "user account disabled")
 }
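Review bot: Revoking the disabled user's extclients happens in a detached goroutine whose failures are only logged, so the handler answers "user account disabled" while that user's client configs may still be live, and a failed `DeleteExtClientAndCleanup` leaves them in place with nothing to retry or surface it. The log lines also do not say which owner or network was affected, which makes a missed revocation hard to trace; for example `logger.Log(0, "failed to delete extclient of disabled user", user.UserName, "network", extclient.Network, err.Error())`. Separately, the context lines just above show `logic.ReturnErrorResponse(...)` followed by the closing brace with no `return`, so as far as the hunk shows, a failed disable would still fall through to this cleanup and to the success response. The condition for that branch is outside the hunk, so this needs confirming against the full function.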
 

+ 5 - 4
pro/controllers/users.go

@@ -5,15 +5,16 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/gravitl/netmaker/pro/idp"
-	"github.com/gravitl/netmaker/pro/idp/azure"
-	"github.com/gravitl/netmaker/pro/idp/google"
-	"github.com/gravitl/netmaker/pro/idp/okta"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 
+	"github.com/gravitl/netmaker/pro/idp"
+	"github.com/gravitl/netmaker/pro/idp/azure"
+	"github.com/gravitl/netmaker/pro/idp/google"
+	"github.com/gravitl/netmaker/pro/idp/okta"
+
 	"github.com/google/uuid"
 	"github.com/gorilla/mux"
 	"github.com/gravitl/netmaker/database"

+ 10 - 4
pro/logic/user_mgmt.go

@@ -1079,10 +1079,10 @@ func UpdatesUserGwAccessOnRoleUpdates(currNetworkAccess,
 	}
 }
 
-func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) {
+func UpdatesUserGwAccessOnGrpUpdates(oldNetworkRoles, newNetworkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) {
 	networkChangeMap := make(map[models.NetworkID]map[models.UserRoleID]struct{})
-	for netID, networkUserRoles := range currNetworkRoles {
-		if _, ok := changeNetworkRoles[netID]; !ok {
+	for netID, networkUserRoles := range oldNetworkRoles {
+		if _, ok := newNetworkRoles[netID]; !ok {
 			for netRoleID := range networkUserRoles {
 				if _, ok := networkChangeMap[netID]; !ok {
 					networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
@@ -1091,7 +1091,7 @@ func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[mo
 			}
 		} else {
 			for netRoleID := range networkUserRoles {
-				if _, ok := changeNetworkRoles[netID][netRoleID]; !ok {
+				if _, ok := newNetworkRoles[netID][netRoleID]; !ok {
 					if _, ok := networkChangeMap[netID]; !ok {
 						networkChangeMap[netID] = make(map[models.UserRoleID]struct{})
 					}
@@ -1112,7 +1112,13 @@ func UpdatesUserGwAccessOnGrpUpdates(currNetworkRoles, changeNetworkRoles map[mo
 	for _, extclient := range extclients {
 
 		if _, ok := networkChangeMap[models.NetworkID(extclient.Network)]; ok {
+			// this extclient's network was removed from group's network roles.
 			if user, ok := userMap[extclient.OwnerID]; ok {
+				// super-admins and admins have complete access to the network.
+				// platform users, at the very least, have access to connect to
+				// the network.
+				// service users have no access to the network.
+				// hence, we delete the extclient and clean up the peers.
 				if user.PlatformRoleID != models.ServiceUser {
 					continue
 				}
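Review bot: The comment added on the `networkChangeMap` lookup says the extclient's network "was removed from group's network roles", but the loops above also add an entry when only one role inside a still-present network was dropped (the `newNetworkRoles[netID][netRoleID]` branch), so it understates when this path runs. Something like `// at least one of the group's roles on this extclient's network was removed.` would match the code. The second comment treats "platform users can always connect" as a given, and the `continue` skips revocation for every non-service user on that basis. If a platform user's access can in fact depend on the removed group role, those extclients would outlive the permission, so the comment should say where that guarantee is enforced. The function starts before and continues past this hunk, so the deletion step itself is not visible here.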